IAM Supervisor Agent

By Performanta

Streamline identity management with IAM Supervisor Agent for secure operations.

The IAM Supervisor Agent by Performanta functions as an autonomous identity security analyst, orchestrating the end-to-end investigation of compromised user accounts within your Microsoft Sentinel environment. By integrating directly with your specific Workspace and Tenant context, the agent automatically retrieves and filters "New" security incidents based on your defined severity preferences (e.g., High, Medium). It then initiates a comprehensive assessment of the target user's security posture, efficiently distinguishing between benign anomalies and genuine identity threats without manual intervention.

Beyond basic triage, the agent executes five concurrent investigation streams to build a holistic view of the user's behavior. It analyzes authentication logs for signs of compromised credentials (such as impossible travel or token theft), evaluates insider risk indicators like data exfiltration, and scrutinizes MFA logs for fatigue attacks or bypass attempts. If the user holds elevated privileges, the agent performs a specialized deep-dive into admin activities and configuration changes. Finally, it synthesizes all findings into a unified opinion, providing security teams with a validated assessment and a prioritized remediation plan.

Inputs:

  • Microsoft Sentinel Incidents (filtered by Status='New', Severity, and timeframe).

  • Microsoft Entra ID (Azure AD) user, group, and service principal data.

  • Identity Protection risk alerts, Sign-in logs, and Audit logs.

  • Tenant-specific context (Workspace Name, Resource Group, Subscription ID).

Outputs:

  • A comprehensive investigation report containing a unified verdict (Low, Medium, or High confidence of compromise).

  • A consolidated summary of findings across compromised credentials, insider risk, and MFA integrity.

  • A prioritized, bulleted list of actionable remediation steps (e.g., "Revoke active sessions", "Reset password").
